tickets #163901 (open)
Elasticsearch AppArmor not enforced
Status: New
Priority: Normal
Assignee: -
Category: Wiki
Target version: -
Start date: 2024-07-14
Due date:
% Done: 0%
Estimated time:
Description
water3 (en.o.o search backend):~ # aa-unconfined |grep java
2178 /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java (/usr/bin/java) confined by 'elasticsearch//null-/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java (complain)'
water (en.o.o search backend):~ # aa-unconfined |grep java
2064 /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java (/usr/bin/java) not confined
Systemd hardening for the units is pretty much non-existent too.
Given the ancient version of Elasticsearch, and the service being exposed on the internet through the search feature on public wiki instances, I deem this concerning.
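
An added example, not part of the ticket: a small parser for `aa-unconfined` output like the two lines above that reports every process not running under an enforce-mode AppArmor profile. The function names and the third sample line are constructed for illustration; a label without a mode suffix is treated as not enforced.

```python
import re

# pid, executable, optional "(cmdline)", then the confinement status.
LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<exe>\S+)(?:\s+\([^)]*\))?\s+"
    r"(?:not confined|confined by '(?P<label>.*)')$"
)
# A label is "<profile> (<mode>)", e.g. "elasticsearch (complain)".
LABEL = re.compile(r"^(?P<profile>.*?)(?:\s+\((?P<mode>[a-z]+)\))?$")


def parse_line(line):
    """Return a dict describing one aa-unconfined line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    entry = {"pid": int(m["pid"]), "exe": m["exe"], "profile": None,
             "mode": "unconfined", "null_transition": False}
    if m["label"] is not None:
        lm = LABEL.match(m["label"])
        entry["profile"] = lm["profile"]
        # Fail closed: a label without a mode suffix is not assumed to be enforced.
        entry["mode"] = lm["mode"] or "unknown"
        # "//null-" marks a placeholder child profile created for an exec
        # that the parent profile has no transition rule for.
        entry["null_transition"] = "//null-" in lm["profile"]
    entry["enforced"] = entry["mode"] == "enforce"
    return entry


def not_enforced(output):
    """Entries from aa-unconfined output that are not under an enforce-mode profile."""
    entries = (parse_line(line) for line in output.splitlines())
    return [e for e in entries if e is not None and not e["enforced"]]


JAVA = "/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java"
# First two lines are from the ticket; the third is constructed for contrast.
SAMPLE = f"""\
2178 {JAVA} (/usr/bin/java) confined by 'elasticsearch//null-{JAVA} (complain)'
2064 {JAVA} (/usr/bin/java) not confined
3001 /usr/sbin/nscd confined by '/usr/sbin/nscd (enforce)'
"""

if __name__ == "__main__":
    for e in not_enforced(SAMPLE):
        print(e["pid"], e["mode"], e["profile"],
              "null-transition" if e["null_transition"] else "")
```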